sensors
Article
Security Enhancement of Wireless Sensor Networks
Using Signal Intervals
Jaegeun Moon 1 , Im Y. Jung 1, * and Jaesoo Yoo 2
1
2
*
School of Electronics Engineering, Kyungpook National University, 80 Daehakro Buk-gu,
Daegu 702701, Korea; [email protected]
School of Information and Communication Engineering, Chungbuk National University,
1 Chungdaero Seowon-gu, Cheongju 28644, Korea; [email protected]
Correspondence: [email protected]; Tel.: +82-53-950-7237
Academic Editors: Luca Roselli, Federico Alimenti and Stefania Bonafoni
Received: 23 January 2017; Accepted: 30 March 2017; Published: 2 April 2017
Abstract: Various wireless technologies, such as RF, Bluetooth, and Zigbee, have been applied to
sensor communications. However, the applications of Bluetooth-based wireless sensor networks
(WSN) have a security issue. In one pairing process during Bluetooth communication, which is
known as simple secure pairing (SSP), the devices are required to specify I/O capability or user
interference to prevent man-in-the-middle (MITM) attacks. This study proposes an enhanced SSP in
which a nonce to be transferred is converted to a corresponding signal interval. The quantization
level, which is used to interpret physical signal intervals, is renewed at every connection by the
transferred nonce and applied to the next nonce exchange so that the same signal intervals can
represent different numbers. Even if attackers eavesdrop on the signals, they cannot understand
what is being transferred because they cannot determine the quantization level. Furthermore, the
proposed model does not require exchanging passkeys as data, and the devices are secure in the case
of using a fixed PIN. Subsequently, the new quantization level is calculated automatically whenever
the same devices attempt to connect with each other. Therefore, the pairing process can be protected
from MITM attacks and be convenient for users.
Keywords: IoT; wireless sensor network; WPAN; Bluetooth; simple secure pairing; signal interval
1. Introduction
Many sensors are in wide use today as components of different devices (temperature sensors in
home or car heating systems, smoke alarms, etc.). Otherwise, these sensors are standalone devices
connected to a network, typically used to monitor industrial processes, equipment, or installations [1].
Various wireless technologies, such as RF, Bluetooth, and Zigbee, have been applied to sensor
communications. Wireless senor networks (WSN) are being expanded, connected, and integrated to
other networks. Therefore, they are a type of Internet of Things (IoT). In addition, electronic devices
that use wireless personal area networks (WPANs) are increasing rapidly with the advent of the IoT
era [2]. However, the threat posed by individuals attempting to eavesdrop on WPAN information or
WSN and use them inappropriately is real [3]. To address this problem, many WPANs or WSNs have
authentication processes [4–7].
One well-known WPAN or WSN is Bluetooth, which creates a link key for devices to authenticate
each other in their communication and extract an encryption key through this pairing process [8].
In addition, Bluetooth has protocols for processing the pairing. This process is composed of a sequence
of giving and receiving information and comparing the values transferred. With the Bluetooth 2.1+
BR/EDR version, simple secure pairing (SSP) has been defined and used to process pairing. Although
Sensors 2017, 17, 752; doi:10.3390/s17040752
www.mdpi.com/journal/sensors
Sensors
Sensors2017,
2017,17,
17,752
752
22of
of17
16
pairing. Although the current Bluetooth version is 4.2, Bluetooth continues to use SSP to support
the current Bluetooth version is 4.2, Bluetooth continues to use SSP to support compatibility with
compatibility with previous versions [9].
previous versions [9].
As shown in Figure 1 and Table 1, SSP consists of five phases. Phase 1 uses the Diffie-Hellman
As shown in Figure 1 and Table 1, SSP consists of five phases. Phase 1 uses the Diffie-Hellman
(DH) key exchange. However, DH key exchange has vulnerabilities to man-in-the-middle (MITM)
(DH) key exchange. However, DH key exchange has vulnerabilities to man-in-the-middle (MITM)
attacks [10].
attacks [10].
Figure
Figure1.
1. Simple
Simple secure
secure pairing
pairing with
withaanumeric
numericcomparison
comparisonassociation
associationmodel
model[9].
[9].
Toresolve
resolve
MITM
attack
problem,
SSP an
adopts
an association
model:
either
numeric
To
thethe
MITM
attack
problem,
SSP adopts
association
model: either
numeric
comparison,
comparison,
passkey
entry,
Just
Works,
or
out
of
band
(OOB).
One
of
these
association
models
passkey entry, Just Works, or out of band (OOB). One of these association models adopted in Phase
2
adopted in Phase 2 differs based on the I/O capability of the electronic devices that connect to one
Sensors 2017, 17, 752
3 of 17
differs based on the I/O capability of the electronic devices that connect to one another. The I/O
capability of the devices to be connected is exchanged before Phase 1 of SSP. The devices then choose
a single association model in Phase 2. Phases 3 and 4 check and combine both types of information.
Phase 4 then creates a link key used for authentication. An encryption key is created and encryption
is conducted in Phase 5. However, this study does not describe the detailed process that follows
Phase 2 because the proposed model employs a strain of passkey entry and numeric comparison in
Phase 2. Table 2 describes the association models based on the I/O capability of the connected devices.
DisplayOnly refers to those devices having only a display. DisplayYesNo is for those devices having
a display and input channel for inputting “Yes” or “No.” KeyboardOnly refers to those devices having
only a keyboard. NoInputNoOutput is for those devices having no I/O capability. KeyboardDisplay
refers to those devices having both a display and keyboard.
Table 1. Term of simple secure pairing with numeric comparison from Figure 1.
Expression
Description
PKx
Public key of device x
PKxx
x-coordinate of PKx
SKx
Secret (private) key of device x
DHKey
Diffie-Hellman key
Nx
Nonce (unique random value) from device x
rx
Random number generated by device x
Cx
Commitment value from device x
f1()
Used to generate the 128-bit commitment values Ca and Cb
(ex. f1(PKbx,PKax,Nb,0) = HMAC − SH A − 256 Nb ( PKb PKa08 )mod2128 )
f2()
Used to compute the link key
(ex. f2(PKax,PKbx,Na,Nb) = SH A − 256( PKax PKbx Na Nb)mod232 )
f3()
Used to compute the check values Ea and Eb in Authentication Stage 2 (ex. f3(DHkey,Na,Nb,rb,IOcapA,A,B) = HMAC − SH A − 256DHkey ( NaNbrbIOcapAAB) )
g()
Used to compute numeric check values
IOcapx
IO capabilities of device x
x
Bluetooth device address of device x
Ex
Check value from device x
LK
Link key
Vx
Confirmation value on device x
Table 2. Association model based on I/O capability [9].
Initiator
Responder
Association Model
DisplayOnly
KeyboardOnly
KeyboardDisplay
Passkey Entry
DisplayYesNo
KeyboardDisplay
Numeric Comparison
KeyboardOnly
Passkey Entry
Any equipment except
NoInputNoOutput
Passkey Entry
DisplayOnly
KeyboardOnly
Passkey Entry
DisplayYesNo
KeyboardDisplay
Numeric Comparison
DisplayYesNo
KeyboardOnly
KeyboardDisplay
Sensors 2017, 17, 752
4 of 17
OOB is known to be resistant to MITM attacks. However, the electronic devices must support
other communication methods or channels in order to apply OOB.
In numeric comparison, the devices display a number and users confirm whether the number
displayed corresponds to the device to be connected in the pairing process [9]. The association model
for numeric comparison can prevent MITM attacks. However, a display and confirmation process is
required for every connection. Moreover, if the same passkey is used, this association model cannot
prevent MITM attacks [11]. Furthermore, if the devices do not have displays, numeric comparison
cannot be applied [9]. However, the proposed model does not require display equipment.
During the passkey entry process, a given user inputs the passkey into a device and the devices to
be paired compare both passkeys [9]. For the passkey entry, each connection requires user input. If the
same passkey is used for every connection, this association model cannot prevent MITM attacks [11].
Just Works is nearly identical to numeric comparison. However, Just Works does not display
a number. Therefore, the devices to be connected omit the comparison process conducted by users and
proceed to the subsequent step. Without displaying a number, the devices cannot be alerted to MITM
attacks [12–15].
In this study, an enhanced SSP that uses signal intervals is proposed to improve SSP security and
user convenience. Specifically, the proposed scheme improves Phase 2 of SSP with numeric comparison.
This SSP includes the challenge-respond method [9]. When a random number or nonce is
transferred, the signal interval that expresses the nonce is delivered. Using a pre-defined function
and the nonce transferred previously, the matching rule based on the quantization level between the
signal interval and nonce is renewed. Specifically, the matching rule defines the quantization level
with which the signal intervals match nonces. Due to delay, error, or other interference from physical
signals, it is difficult for the intended signal interval to be delivered precisely. To reduce the error
sensitivity of the physical signals, this study introduces the quantization level of the signal interval
instead of using the analog characteristics of the physical signal [16]. Since the quantization level is
renewed, the device that knows the previous nonce can determine the next new signal interval.
During the initial step, the devices to be initially connected do not have any previous shared
nonces. Therefore, users must input a 64-bit passkey. However, this input is required only once,
that is, when the two devices are connected for the first time. Since the passkey entered by the user
is not transferred as data, should a third party eavesdrop on the signals, it cannot determine the
passkey information.
Therefore, the proposed model can also be applied in the case of a fixed PIN. This fixed PIN is
saved in the device that does not have any input method/input device. Since the devices can adopt the
fixed PIN, this association model can be applied to a case in which one of two devices does not have
input capability if they have the same fixed PIN. Regular users of Bluetooth generally use Bluetooth
communication to connect laptops, desktops, or smartphones to speakers, headsets, or earphones.
As indicated in Table 2, current devices use Just Works because laptops, desktops, and
smartphones employ displays and keyboards. On the other hand, speakers, headsets, and earphones
are NoInputNoOutput. However, if the proposed model is adopted, the devices can connect with
each other using a fixed PIN. Moreover, more than two devices attempting to pair can recognize each
other and prevent MITM attacks. In addition, the devices do not need to support other communication
methods or channels.
The proposed method has an advantage in that third parties attempting to disguise themselves
cannot determine the nonce shared between the devices to be connected. This is because they cannot
calculate the quantization level renewed at every connection. Unlike current SSPs, the proposed method
can minimize user interference. Since the passkey entered by a user is not transferred as data, if a third
party eavesdrops on the signals, it cannot determine the passkey information. Additionally, since
information to be transferred is expressed by the time interval of the physical signals, the attacker that
cannot determine the quantization level cannot determine the meaning of the signal intervals. Due to
Sensors 2017, 17, 752
5 of 17
the threat of leaking the quantization level when a fixed quantization level is used, the transferred
number is used to renew the existing quantization level. Therefore, MITM attacks can be prevented.
This study considers related works in Section 2. Section 3 describes the proposed scheme of the new
association model. Section 4 describes the results of experiments conducted in various environments
and analyzes the security of the proposed Scheme. Security of proposed model is analyzed in Section 5.
Section 6 summarizes and concludes the study.
2. Related Works
Electronic devices exchange certain information in order to authenticate one another or create
a key. In anonymous communication, devices basically exchange a given value and then authenticate
each other. In ZigBee, authentication is performed using the devices’ pre-shared master key, ID, and
nonce. By compounding the master key, ID, and nonce, a link key is created [17]. The master key is
either transferred or pre-installed. In wireless LAN, access control that uses a service set identifier
(SSID), address authentication through media access control (MAC), shared key authentication, or the
IEEE802.1x method, is used [18–21]. These methods are also implemented during communication
among devices.
However, because such communication is vulnerable to sniffing, some countermeasures are
required [3]. For example, transferring the master key through communication is vulnerable to replay
attacks [22]. Therefore, many studies have been conducted on key distribution [23,24] to resolve
these kinds of threats. Since Bluetooth has the same vulnerabilities, SSP is adopted. However, SSP
is not secure. Therefore, many methods have been proposed to supplement or replace SSP [25–27].
One method exists in which information is stored using the device ID in a database [25]. This method
uses a pre-shared password and extracts a key from the password. The key encrypted by a public
key is then delivered. However, this database must be pre-shared. Moreover, if the ID of the new
connecting device does not exist in the database, the device cannot connect. This is another case of
giving and receiving information through communication. Therefore, the sniffing threat remains. If the
inner algorithm is revealed through sniffing, this method is not secure.
Another proposal assumes a situation in which many master devices are present in a piconet,
and two given devices among the master devices create a key [26]. The key is then delivered to other
devices by means of multicast and used for authentication. However, this method cannot be used for
two-device communication and cannot check for an attacker attempting to infiltrate the piconet.
In addition, distinguishing a node or device is possible by using the analog character of the signals
generated by the node [28]. SSP is processed using this character [27]. However, this method employs
an OOB channel to prevent MITM attacks. Therefore, a device that does not support this type of
channel for other communication cannot employ this method. Moreover, the recognition rate is only
70%. Thus, identical devices that attempt to authenticate each other may fail authentication at a rate of
30% [28]. In addition, this method requires an additional server to verify authentication results.
By contrast, the proposed method does not require a piconet or an additional server. In addition,
the accuracy of our method was approximately 95% in our experiment.
Another suggested use of quantization is for an electronic device to project data onto the
space containing a random array. This would be performed after the device extracts biological data.
This model then applies dynamic thresholding and encrypts the data before transferring them [29].
Furthermore, another proposed error recovery method exists that outperforms the existing dithered
quantization method because it uses random quantization of the source signal [29,30].
3. Enhanced SSP Using Signal Intervals
The scheme proposed shows that the time interval between consecutive physical signals can
also be used to improve SSP. As indicated in [11], passkey entry has security flaws. Therefore, this
study proposes an enhanced SSP using signal intervals. This SSP is based on numeric comparison
and passkey entry for pairing devices that possess no display window. In addition, the proposed
Sensors 2017, 17, 752
Sensors 2017, 17, 752
6 of 17
6 of 16
counterpart
must have
its input
subpart
to acquire
the passkey.
Therefore,
the other
method
doesdevice
not require
an input
passkey
whendevice
the passkey
is saved
to the devices.
In this
case,
pairing
device does
notmust
require
input
subpart
device,
such as
keyboardTherefore,
[12–15]; the
the
counterpart
device
haveitsitsown
input
subpart
device
to acquire
thea passkey.
thelegacy
other
passkeydevice
entry requires
inputits
passkey
at each
pairing.
By contrast,
proposed
scheme
does
not
pairing
does not an
require
own input
subpart
device,
such as athe
keyboard
[12–15];
the
legacy
require an
input
passkey
exceptpasskey
at the at
initial
the the
initial
connection,
thedoes
current
passkey
entry
requires
an input
eachconnection.
pairing. By After
contrast,
proposed
scheme
not
nonce isanused
instead
of except
the passkey.
require
input
passkey
at the initial connection. After the initial connection, the current nonce
is used instead of the passkey.
3.1. Assumption
3.1. Assumption
It is assumed that the received signal strength indication (RSSI) of the signals is higher than −70
assumed
that loss.
the received signal strength indication (RSSI) of the signals is higher than
dbmIttoisprevent
packet
−70 dbm
to prevent
packet
loss. can falsify device addresses, each device uses its resolvable private
In addition,
because
attackers
In addition,
because [9],
attackers
falsify device
addresses,
device uses
resolvable
random
device address
whichcan
is composed
of 48
bits that,each
themselves,
are its
composed
ofprivate
24 bits
random
device address
[9], which
composed
of 48value.
bits that,
are composed
24 bits
each
each of random
value and
a hashisof
the random
Thethemselves,
devices require
a local orofpeer
identity
of
randomkey
value
and to
a hash
ofthe
thehash
random
value.
The devices
require
a local
or peer
identity
resolving
resolving
(IRK)
create
value.
To share
IRK, the
devices
should
connect
at least
once.
key
to create
the hash
value.
To share
IRK, the devices
at least
IRKprocess
is shared
IRK(IRK)
is shared
during
the first
pairing.
Specifically,
IRK isshould
sharedconnect
following
the once.
pairing
to
during
first sniffing.
pairing. Specifically,
IRK
following
pairing
process
to protect
from
protect the
it from
In Section 3.6,
it is
is shared
assumed
that thethe
devices
have
already
shared it
IRK.
A
sniffing.
In private
Sectionrandom
3.6, it is device
assumed
that the
have
already
shared IRK.
private
resolvable
address
candevices
support
device
identification
by A
theresolvable
hash value,
even
random
device identification by the hash value, even when the device
when thedevice
deviceaddress
addresscan
hassupport
changed.
address
has changed.
In addition,
the pairing devices share necessary information such as I/O capability and Bluetooth
In addition,
the pairing
devices
share
necessary
information
such asThis
I/O study
capability
and Bluetooth
address.
The proposed
scheme
must
share
additional
information.
proposes
that the
address.
Thebe
proposed
scheme
share
additional information. This study proposes that the
information
shared during
themust
paging
process.
information
shared
during the
process.
Finally,be
RTC
is necessary
to paging
obtain date
information. The date information is used to calculate
Finally, RTClevel.
is necessary
to obtain
datedevices
information.
The date
information
is used
to acalculate
the quantization
The RTCs
of the two
to be paired
can be
synchronized
using
method
the
quantization
Thepaging
RTCs of
the twoIPdevices
be paired
can
synchronized using
a method
proposed
by [31]level.
during
process;
or GPStocan
be used
tobe
synchronization
of RTCs.
If the
proposed
by [31]
during paging process;
IP or GPS
beof
used
to synchronization
RTCs.
If the devices
devices fail
to synchronization,
the mixture
ofcan
IRK
two
devices can be of
used
instead
of date
fail
to synchronization, the mixture of IRK of two devices can be used instead of date information.
information.
3.2.
3.2. Random
Random Number
Number Sharing
Sharing
Figure
the the
nonce
sharing
process
that uses
theuses
time interval
consecutive
Figure2 2illustrates
illustrates
nonce
sharing
process
that
the timebetween
intervaltwo
between
two
signals.
The signals.
information
delivered bydelivered
the two by
signals
is the
maximum
signal interval
consecutive
The information
the two
signals
is the maximum
signalbetween
interval
consecutive
signals. These
setsThese
of datasets
should
be as
short be
as possible
to save
energy.
Device
B calculates
between consecutive
signals.
of data
should
as short as
possible
to save
energy.
Device
the
values
necessary
to
process
SSP
with
the
transmitted
nonce.
B calculates the values necessary to process SSP with the transmitted nonce.
Figure
Figure 2.
2. Random
Random number
number selection
selection using
using signal
signal interval.
interval.
Figure 33 shows
shows the
the enhanced
enhanced version
version of Phase 2 of the SSP.
SSP. The
The reason
reason both
both parties
parties must
must check
check
Figure
Ca and
and Cb
Cb is
is to
to create
create aa pre-existing
pre-existing nonce
nonce for
for both
both devices.
devices. Both ra and rb are set to
to 00 in
in order
order to
to
Ca
adopt the
the legacy
legacy scheme
scheme of
of numeric
numeric comparison.
comparison. Ca
Ca and
and Cb
Cb are
are used
used to
to check
check ra and rb are
are properly
properly
adopt
transmitted. In
In addition,
addition, Va
Vaand
andVb
Vbare
areexchanged
exchangedto
toidentify
identifyeach
eachother.
other.
transmitted.
Due totocommunication
communication
delay,
signal
an abnormal
the intended
time
Due
delay,
signal
loss,loss,
or anorabnormal
devicedevice
status, status,
the intended
time interval
interval
might
not
be
transferred.
Therefore,
quantization
is
used
to
reduce
error
sensitivity
caused
might not be transferred. Therefore, quantization is used to reduce error sensitivity caused by physical
by physical environments.
Therefore,
can obtainlike
tolerance,
like the conversion
process
of
environments.
Therefore, this
schemethis
can scheme
obtain tolerance,
the conversion
process of an
analog
an analog
a digital signal.
signal
to a signal
digitalto
signal.
Sensors 2017, 17, 752
7 of 17
Sensors 2017, 17, 752
7 of 16
Sensors 2017, 17, 752
Device A
Device B
Device A
Select random Na
random
SetSelect
ra and
rb to 0Na
7 of 16
Device B
Select random Nb
Phase 2
Phase 2
Select
random
Set
ra and
rb toNb
0
Set ra and
rb to
0 0)
Ca = f1(PKax,
Pkbx,
Na,
ra andPkax,
rb to 0Nb, 0)
Cb = Set
f1(PKbx,
Ca = f1(PKax, Pkbx, Na, 0)
Cb = f1(PKbx, Pkax, Nb, 0)
If no previous nonce Na’ or Nb’,
If no have previous nonce Na’ or Nb’,
obtain a passkey from user and
obtain a passkey from user and
If no previous nonce Na’ or Nb’,
If no have previous nonce Na’ or Nb’,
calculate time interval
calculate time interval
obtain a passkey from user and
obtain a passkey from user and
calculate time interval
calculate time interval
Cb, Max of this time interval
Cb, Max
of this time interval
(Empty)
This time interval
represents
Nb
This time interval
This time interval
represents Na
This time interval
Ca, Max of(Empty)
this time interval
represents Na
Ca, Max of this time interval
(Empty)
represents Nb
(Empty)
Check whether Cb = f1(PKbx, Pkax, Nb, 0)
Check whether Ca = f1(PKax, Pkbx, Na, 0)
If check
abort Pkax, Nb, 0)
If check
abortPkbx, Na, 0)
Check whether
Cbfails,
= f1(PKbx,
Check whether
Ca =fails,
f1(PKax,
If check fails, abort
If check fails, abort
Va = g(Pkax, PKbx, Na, Nb)
Va = g(Pkax, PKbx, Na, Nb)
Va = g(Pkax, PKbx, Na, Nb)
Va = g(Pkax, PKbx, Na, Nb)
Each device checks whether Va=Vb
If check
fails,whether
abort Va=Vb
Each device
checks
If check fails, abort
Na and Nb are saved to be used as previous nonce at both A and B. If subsequent connection
Na A
and
NbBare
saved to by
be used
asA,
previous
nonce atnonce;
both A otherwise,
and B. If subsequent
between
and
is initiated
device
Na is previous
if initiatedconnection
by device B,
between A and B is initiated by device
is previous
nonce; otherwise, if initiated by device B,
NbA,is Na
previous
nonce.
Nb is previous nonce.
Figure
Figure 3.
3. SSP
SSPPhase
Phase22that
thatadopts
adoptsthe
theproposed
proposedscheme.
scheme.
Figure 3. SSP Phase 2 that adopts the proposed scheme.
Figure 4 is a block diagram showing the chip that calculates the quantization level and the signal
Figure
4 is4aisblock
diagram
showing
quantizationlevel
leveland
andthe
thesignal
signal
Figure
a block
diagram
showingthe
thechip
chipthat
thatcalculates
calculates the
the quantization
interval that generates the signals. The date information shows the time in ms units after 1 January
interval
thatthat
generates
the the
signals.
TheThe
datedate
information
shows
thethe
time
in ms
units
after
1 January
1970.
interval
generates
signals.
information
shows
time
in ms
units
after
1 January
1970. The connected device information shows the Bluetooth device address. The previously-saved
The1970.
connected
device information
shows the
Bluetooth
device address.
The previously-saved
nonce is
The connected
device information
shows
the Bluetooth
device address.
The previously-saved
nonce is searched for using this address. If no nonce was previously saved, the user must input the
searched
using this
no nonce
previously
saved, the
userthe
must
input
passkey.
nonce for
is searched
for address.
using thisIfaddress.
If was
no nonce
was previously
saved,
user
mustthe
input
the
passkey. The quantization level is calculated using the pre-existing nonce or passkey input, as well
The quantization
level is calculated
the pre-existing
nonce
or passkey
as as
well
Thepasskey.
quantization
level is calculated
using theusing
pre-existing
nonce or
passkey
input, input,
as well
the
as the date information, which are all shared by the two devices. Since the signal interval is calculated
the date information,
which
are all shared
thedevices.
two devices.
signal
interval
is calculatedby
dateasinformation,
which are
all shared
by theby
two
SinceSince
the the
signal
interval
is calculated
by multiplying the quantization level and random number, the signal receiver can determine the
by multiplying
the quantization
level
and random
number,
the receiver
signal receiver
can determine
the
multiplying
the quantization
level and
random
number,
the signal
can determine
the sender’s
sender’s random number by dividing the signal interval by the quantization level.
sender’s
random
number
by
dividing
the
signal
interval
by
the
quantization
level.
random number by dividing the signal interval by the quantization level.
Date
Date
information
information
Connected
Connected
Device
Device
information
information
Quantization
level
Quantization
level
calculator
calculator
Time
Timeinterval
interval
calculator
calculator
Connected
device
Connected
device
information
manager
information manager
&&
storage
storage
Random
Randomnumber
number
generation
generation
Signal
Signal
Interval
Interval
Figure
4.
of
the
device
paired
that
generates
Figure
4. Architecture
the
device
paired
that
generatesthe
thesignals
signalsrepresenting
representing
random
numbers.
Figure
4. Architecture
Architecture
of of
the
device
paired
that
generates
the
signals
representingrandom
randomnumbers.
numbers.
Sensors 2017, 17, 752
Sensors 2017, 17, 752
8 of 17
8 of 16
3.3.Quantization
QuantizationLevel
LevelManagement
Management
3.3.
3.3.1.
3.3.1.Quantization
QuantizationLevel
LevelInitialization
Initialization
Information
Informationfor
fordevices
devicespreviously
previouslyconnected
connectedand
andthe
thepre-existing
pre-existingnonce
nonceused
usedare
aresaved
savedand
and
managed
managedasasshown
shownininFigure
Figure4.4.During
Duringthe
theinitial
initialconnection,
connection,because
becausethe
theused
usedstorage
storagedoes
doesnot
not
contain
any
information
about
the
devices
to
be
connected,
the
user
must
input
a
64-bit
passkey.
contain any information about the devices to be connected, the user must input a 64-bit passkey.
Otherwise,
Otherwise,a afixed
fixedpasskey
passkeycan
canbebeused
usedbased
basedon
onthe
thedevices’
devices’I/O
I/Ocapabilities.
capabilities.Since
Sinceaapasskey
passkeyisisused,
used,
the
thequantization
quantizationlevel
levelisisdifferent
differentatateach
eachpairing.
pairing.However,
However,pairing
pairingdevices
devicescan
canachieve
achievethe
thesame
same
quantization
quantizationlevel
levelififthe
thesame
samepasskey
passkeyisisinput.
input.This
Thisinput
inputisisrequired
requiredwhenever
whenevernew
newdevices
devicesattempt
attempt
totoconnect.
connect.However,
However,once
oncethe
thepasskey
passkeyhas
hasbeen
beenentered
enteredfor
forthe
thedevice
devicepair,
pair,subsequent
subsequentconnections
connections
between
betweenthe
thedevice
devicepair
pairdo
donot
notrequire
requirea anew
newpasskey
passkeyfor
foreach
eachconnection.
connection.
The
iscalculated
calculatedatatthe
the
subsequent
circuit
as shown
in Figure
5. Incircuit,
this
Thequantization
quantization level is
subsequent
circuit
as shown
in Figure
5. In this
circuit,
theinformation
date information
is inunits
ms units
1 January
1970.
example,
thedate
dateinformation
informationis
the date
is in ms
afterafter
1 January
1970.
ForFor
example,
if if
the
is1445242302710
1445242302710and
andthe
thepasskey
passkeyisis 0,0, the
the value
value is
is 1445242302710
1445242302710 after the OR
OR gate
gate isis passed.
passed.
Subsequently,
is extracted
extractedfrom
fromthe
thelower
lowereight
eight
bits
after
passing
XOR
Subsequently,aa value
value of
of 129 is
bits
after
passing
thethe
XOR
gate.gate.
The
The
minimum
quantization
level
is 625
µsBluetooth
in Bluetooth
Therefore,
the result
of quantization
the quantization
minimum
quantization
level
is 625
µ s in
[9]. [9].
Therefore,
the result
of the
level
level
is 80.625
After
the quantization
is calculated,
as shown
in Figure
5, the
devices
multiply
is 80.625
ms. ms.
After
the quantization
levellevel
is calculated,
as shown
in Figure
5, the
devices
multiply
the
the
nonce
provided
therandom
randomnumber
numbergenerator
generatorby
by the
the quantization
quantization level. In
nonce
provided
byby
the
In this
this example,
example,ififthe
the
time
timeinterval
intervalunit
unitisisms,
ms,aasmall
smallnonce
noncecan
canresult
resultininaalarge
largetime
timeinterval.
interval.However,
However,ififthe
thequantization
quantization
level
levelunit
unitisisµs,
μs,the
thetime
timeinterval
intervalcan
canbe
bereduced.
reduced.When
Whenthe
thetime
timeinterval
intervalisisdelivered
deliveredto
tothe
thereceiver,
receiver,
the
thenonce
noncerepresents
representsthe
thequotient
quotientofofthe
thedivision
divisionofofthe
thetime
timeinterval
intervalbybythe
thequantization
quantizationlevel.
level.
Since
SinceBluetooth
Bluetoothcan
cansynchronize
synchronizetime
timewith
withcircumjacent
circumjacentdevices
devices[9],
[9],the
thedevices
devicescan
canuse
usethe
thesame
same
time.
time.IfIfaaconnection
connectionisissuccessful,
successful,information
informationon
onthe
theconnecting
connectingdevice
deviceand
andrandom
randomnumber
numberused
usedisis
saved
savedtotocreate
createthe
thenext
nextnew
newquantization
quantizationlevel.
level.
Date
information
[63:0]
[63:48]
Previous nonce
[63:0]
[31:16]
Minimum
Quantization
Level
[9:0]
[15:0]
[7:0]
[47:32]
Multiplyer
Quantization
Level
[17:0]
Figure5.5.Example
Exampleofofquantization
quantizationlevel
levelcalculator.
calculator.
Figure
Figure 5 provides an example of a quantization level calculator that conducts the renewal
Figure 5 provides an example of a quantization level calculator that conducts the renewal
process. The quantization level calculator can be modified based on the practical specifications of the
process. The quantization level calculator can be modified based on the practical specifications of the
real devices.
real devices.
3.3.2. Quantization Level Renewal
3.3.2. Quantization Level Renewal
If no renewal occurs, an adversary can obtain information about a quantization level when many
If no renewal occurs, an adversary can obtain information about a quantization level when many
pairing cases are observed. Therefore, the quantization level must be renewed.
pairing cases are observed. Therefore, the quantization level must be renewed.
When devices to be connected have, in fact, already connected (at an earlier time), the data
When devices to be connected have, in fact, already connected (at an earlier time), the data
recorded from that earlier connection exists in storage, as indicated in Figure 4. Figure 4 shows the
recorded from that earlier connection exists in storage, as indicated in Figure 4. Figure 4 shows the
architecture of the device to be paired in order to renew the quantization level. The new quantization
architecture of the device to be paired in order to renew the quantization level. The new quantization
level is calculated using the previous connection information. Two random variables exist. The
level is calculated using the previous connection information. Two random variables exist. The previous
previous nonce is a random number created by the device that initiates the connection. In Figure 3,
the random numbers are Na and Nb. The previous nonce is Na if the subsequent connection is
Sensors 2017, 17, 752
9 of 17
nonce is a random number created by the device that initiates the connection. In Figure 3, the random
numbers are Na and Nb. The previous nonce is Na if the subsequent connection is initiated by device
A. Since the saved nonce is the same for the devices to be connected, each device can calculate the
same result using this shared nonce.
Figure 6 shows the algorithm for the renewal process. Through this algorithm, the devices
can avoid leaking the renewed quantization level whenever the devices establish new connections.
When
a new
is established, the nonce changes. Therefore, the quantization level is renewed
Sensors 2017,
17,connection
752
9 of 16
whenever a new connection is established. The same signal intervals can represent different numbers
initiated
by device A.
Since
the saved
nonce the
is the
same can
for the
devices
be connected,
as the quantization
level
changes.
Therefore,
devices
protect
theirtodata
because theeach
thirddevice
party
can
calculate
the same
result
using
this shared nonce.
cannot
determine
the real
value
shared.
Set Initial Quantization level
Do you want to choose a random
number to be shared?
Yes
Measure the time interval between two consecutive signals
Extract the transmitted number
using the quantization levels
No
Was the same random number
chosen successfully?
Yes
Renew the quantization level by the transmitted number
Figure
Figure 6.
6. Quantization-level
Quantization-level renewal
renewal process.
process.
Figure 6 shows the algorithm for the renewal process. Through this algorithm, the devices can
3.4. Countermeasures for Packet Loss
avoid leaking the renewed quantization level whenever the devices establish new connections. When
The
loss rate iniswireless
communication
is greaterTherefore,
than that inthe
wired
communication.
a new
connection
established,
the nonce changes.
quantization
level is renewed
As explained
in Section is
3.3.1,
when devices
acquire
80.625
ms of quantization
if thenumbers
random
whenever
a new connection
established.
The same
signal
intervals
can representlevel,
different
number
generator
changes
the
nonce
to
8,
the
signal
interval
becomes
645
ms.
However,
one
two
as the quantization level changes. Therefore, the devices can protect their data because the thirdofparty
consecutive
signals
can
bevalue
lost. To
solve this problem, this study proposes that every signal have its
cannot
determine
the
real
shared.
data express the maximum signal interval as shown in Figure 3. The receiver waits for the next signal
3.4.
Countermeasures
Packet
Loss If the maximum signal interval expires, the receiver will conclude
during
the maximumfor
signal
interval.
that the second signal is lost, and require a new signal interval. If an empty signal is delivered first,
The loss rate in wireless communication is greater than that in wired communication.
the receiver will know that the first signal is lost. The maximum signal interval is calculated using
As explained in Section 3.3.1, when devices acquire 80.625 ms of quantization level, if the
Equation (1):
random number generator changes the nonce to 8, the signal interval becomes 645 ms. However, one
M = (1 + X) P
(1)
of two consecutive signals can be lost. To solve this problem, this study proposes that every signal
have itsMdata
themaximum
maximumand
signal
interval
as shown
in Figure
3. The receiver
waits
the
where
andexpress
P are the
intended
signal
intervals,
respectively.
X should
be afor
value
next
signal
during
the maximum
If signal
the maximum
signal interval
the receiver
between
0 and
1. However,
if X issignal
very interval.
small, the
can be ignored
when aexpires,
slight delay
occurs.
will
concludeifthat
and
a newdelay
signalisinterval.
If an empty
is
For example,
P isthe
645second
ms andsignal
X is 0,isMlost,
is 645
ms.require
If the signal
1 ms, a 646-ms
signalsignal
interval
delivered
first, theHowever,
receiver will
that thebefirst
signalInisthis
lost.case,
Thethe
maximum
interval
is
would
be sensed.
this know
value would
invalid.
receiver signal
requires
that the
calculated
using Equation
(1):
sender retransmit
two consecutive
signals. In addition, if X is a large value, the receiver must wait
for the lost packet during the surplus time. Therefore, it is proper for X = 0.5, academically speaking.
M = (1 + X) P
(1)
Nonetheless, the value of X can be adjusted to reduce the error rate caused by the poor status of
where
M andcommunication.
P are the maximum
and intended
signal
respectively.
X should
be aon
value
the physical
The transmitter
sets
X to intervals,
0.5 initially
and can adjust
X based
the
between
0
and
1.
However,
if
X
is
very
small,
the
signal
can
be
ignored
when
a
slight
delay
occurs.
authentication success rate.
For example, if P is 645 ms and X is 0, M is 645 ms. If the signal delay is 1 ms, a 646-ms signal interval
would be sensed. However, this value would be invalid. In this case, the receiver requires that the
sender retransmit two consecutive signals. In addition, if X is a large value, the receiver must wait for
the lost packet during the surplus time. Therefore, it is proper for X = 0.5, academically speaking.
Nonetheless, the value of X can be adjusted to reduce the error rate caused by the poor status of the
physical communication. The transmitter sets X to 0.5 initially and can adjust X based on the
authentication success rate.
Sensors 2017, 17, 752
10 of 17
3.5. Transmitted Value Management
Since attackers can mimic the authentication of normal devices or attempt to use brute force
during attacks using clues from the maximum signal interval, when a counterpart transmits the wrong
Sensors 2017, 17, 752
authentication
value, the devices stops the pairing process, as in the current association model.10 of 16
3.6. Counterfeit Detection
With
interval.
Thus,
if
With the
the proposed
proposedmodel,
model,the
thenonce
noncecan
canbe
berecognized
recognizedbybyestimating
estimatingthe
thesignal
signal
interval.
Thus,
any
attacker
watches
if any
attacker
watchesthe
thesignals
signalsand
andcopies
copiesthem,
them,the
theaccurate
accuratevalue
value cannot
cannot be
be transferred
transferred to the
receiver because the signal interval between two consecutive signals is different from the intended
interval.
interval. In other words, the receiver cannot be authenticated. To prevent this situation, when a device
perceives
perceives an
an imitated
imitated signal,
signal, the
the device
device creates
creates aa new device address.
address. If old and new device addresses
from identical devices exist, the receiver
receiver ignores
ignores the
the old
old device
device addresses.
addresses.
4.
Evaluation
4. Evaluation
To
To analyze
analyze the
the security
security of
of the
the proposed
proposed scheme,
scheme, the
the attack
attack scenario
scenario suggested
suggested by
by [11],
[11], in
in which
which
the
passkey
entry
is
violated,
is
used
here.
This
is
because
the
proposed
method
in
this
study
the passkey entry is violated, is used here. This is because the proposed method in this study uses
uses
passkey
passkey entry
entry and
and numeric
numeric comparison
comparison to
to improve
improve the
the security
security of
of the
the current
current passkey
passkeyentry.
entry.
The
repeated
using
a bit
number
of
The passkey
passkey entry
entrymethod
methodisisillustrated
illustratedininFigure
Figure7.7.The
Theprocess
processis is
repeated
using
a bit
number
the
passkey.
Note
that
ra
and
rb
in
each
round
are
the
values
of
the
bits
of
the
passkey.
The
passkey
of the passkey. Note that ra and rb in each round are the values of the bits of the passkey. The passkey
entry
entry uses
uses ra,
ra, rb,
rb, Na,
Na, and
and Nb
Nb of
of the
the last
last round
round in
in Phase
Phase 33 as
as well.
well.
Device A
Device B
User
Inject secret ra Set
ra = rb
Inject secret rb Set
rb = ra
Select random Na
Select random Nb
Ca = f1(PKax,
Pkbx, Na, ra)
Cbi = f1(PKbx,
Pkax, Nb, rb)
Ca
Cb
Na
Check if Ca = f1(PKax,
Pkbx, Na, rb)
If check fails, abort
Nb
Check if Cb = f1(PKbx,
Pkax, Nb, ra)
If check fails, abort
Figure 7.
7. Passkey
entry [9].
[9].
Figure
Passkey entry
The point of these attack scenarios is to implement to identify an MITM in Phase 1 and determine
the last bit of the passkey. All information used after Phase 1 can be monitored because it is
transmitted in plain text. The last bit of the passkey is then used for ra and rb. In this case, ra and rb
are identical because the passkeys of the pairing devices are the same. The attacker can easily
determine rx by calculating Cx and then comparing the calculated and transmitted values using
legitimate pairing devices because the last bit is 0 or 1.
Moreover, the legacy SSP has a security flaw a fixed passkey is used. This is because ra and rb
Sensors 2017, 17, 752
11 of 17
The point of these attack scenarios is to implement to identify an MITM in Phase 1 and determine
the last bit of the passkey. All information used after Phase 1 can be monitored because it is transmitted
in plain text. The last bit of the passkey is then used for ra and rb. In this case, ra and rb are identical
because the passkeys of the pairing devices are the same. The attacker can easily determine rx by
calculating Cx and then comparing the calculated and transmitted values using legitimate pairing
devices because the last bit is 0 or 1.
Moreover, the legacy SSP has a security flaw a fixed passkey is used. This is because ra and rb
are always the same in all pairing processes (they are either 0 or 1). In addition, Nx is transmitted
in plain text. Therefore, an adversary can obtain all information during the SSP process. By contrast,
an adversary cannot determine Na and Nb easily using the time interval of our scheme because this
interval is already included in the nonce (Nx) and uses all bits of the passkey. This proposed method
does not directly reveal both the passkey and nonce.
Therefore, the proposed scheme can be applied when a pairing device has a fixed passkey. A fixed
passkey is not renewed. However, after the first pairing, the pre-existing nonce is used instead of date
information. Therefore, an adversary cannot assume or detect the quantization level and thus extract
the nonce from the current time interval.
In addition, Table 3 shows the comparison of existing protocols with our approach. The proposed
method does not need any extra device, but shows high accuracy.
Table 3. Comparison of existing protocols with our approach.
MITM
Existing SSP [9]
Diallo [25]
Biswas [26]
Pasanen [27]
Our Study
4 (All scheme except
numeric comparison)
4 (Connection
of new device)
4 (Infiltrating attacker
in the piconet)
X
X
Number of devices
2
3
At least 3
2
2
Accuracy
Not mentioned
Not mentioned
Not mentioned
About 70%
About 95%
O: Possible, 4: Partially Possible, X: Impossible, (): Possible Case or Method.
5. Experiments
5.1. Accuracy Test Settings
An experiment was conducted in which a nonce used to create a key or to authenticate devices
is represented by a signal interval between two consecutive signals of Bluetooth low energy (BLE).
BLE was used because Bluetooth classic has its time slot of 625 µs and the advertisement function of
BLE has the signal interval that is a time slot of 625 µs in the range from 20 ms to 10.24 s. Some delay is
added to the signal interval [9]. The delay of BLE can be negated by adjusting the quantization level.
The checkpoint is the location to which an intended value is transferred. It is assumed that the initial
quantization level had been determined in advance and that other information used to authenticate each
device had been exchanged, with the exception of the nonce. After nonce transmission, a device does
not respond to the other device and simply displays that value. In addition, this test ignores the manner
in which authentication fails, i.e., the renewal of the quantization level through the authentication value,
and saving or deleting the transferred value.
Bluetooth beacon signals were used in this experiment. A desktop equipped with a Bluetooth
dongle and using Ubuntu OS transmitted the beacon signals to a laptop equipped with the same
Bluetooth dongle and Ubuntu OS. Specifications for the desktop PC were as follows: Intel core i7-4790
CPU and 8 GB RAM. The laptop had an Intel core i5-3230M CPU and 4 GB RAM.
The transmitted nonce was compared with the number calculated by the laptop by estimating the
signal interval between two consecutive signals. The Bluetooth dongle was a ZIO BT40 of Bluetooth
CSR 4.0 made by ZIO company in goyang of Korea, which supports Bluetooth 4.0. The distance
between two devices was 50 cm. The intended signal intervals were 62.5 ms, 313 ms, and 625 ms.
The valid value was assumed to be between the intended time intervals of −10 ms and +10 ms.
Sensors 2017, 17, 752
12 of 17
Each signal contained information that the maximum signal interval was 100 ms, 500 ms, and 1 s.
For the beacon, the feedback for packet loss was set so that it need not be considered. In addition, the
device was set so that it waited for subsequent signals that were repeatedly transmitted. If the device
was not a beacon, the feedback might not have been required when packet loss occurred. Through such
feedback, the transmitter could generate new signals. The given signal intervals represent values such
as 100, 500, 1000.
5.2. Quantization Level Management
5.2.1. Effect of Maximum Signal Interval
Before conducting an actual experiment, a test was performed to determine the influence of the
maximum signal interval.
The distance between two devices was 50 cm. In addition, 62.5 ms of the time interval represents
a value of 100. The signal interval was ignored if it exceeded the maximum, and was measured again.
In this situation, the average signal intervals, standard deviation, and accuracy were estimated.
Table 4 lists the results. By adapting the maximum signal interval, an improved outcome was
obtained with higher accuracy and a time interval that was close to that intended in comparison to the
outcomes obtained when not adapting it.
Table 4. Effect of maximum signal interval.
Classification
Time Interval (ms)
Accuracy (%)
Adapted
Not adapted
67.15 ± 2.14
78.13 ± 28.2
98.67
81.58
Table 5 describes the accuracy of the transferred nonce through the time interval between signals.
The results indicate an accuracy of approximately 95% to 98%. This result is considered in order to
determine the quantization level. In addition, the time for the quantization level should be longer than
the overhead of the estimated time interval in order to reduce the error rate.
Table 5. Random number mapping.
Random Number
Time Interval (ms)
Accuracy (%)
100
500
1000
67.16 ± 2.92
317.23 ± 3.32
629.81 ± 3.04
98.67
94.67
98.67
5.2.2. Signal Interval between Correct Values Based on Distance
Figure 8 shows the time necessary to obtain an accurate nonce based on the distance between the
devices that are to be connected. In other words, Figure 8 shows the time interval between accurate
nonce acquisition and the next accurate nonce acquisition. The experiment showed how the proposed
model was affected by signal loss, meaning that if the communication environment was bad, the
scheme does not work effectively. No obstacle was present between the two devices. The time interval
required to obtain accurate nonces increased rapidly at a distance longer than 10 m. In other words,
the proposed model is effective within 10 m.
the devices that are to be connected. In other words, Figure 8 shows the time interval between
accurate nonce acquisition and the next accurate nonce acquisition. The experiment showed how the
proposed model was affected by signal loss, meaning that if the communication environment was
bad, the scheme does not work effectively. No obstacle was present between the two devices. The
time interval required to obtain accurate nonces increased rapidly at a distance longer than 10 m. In
Sensors 2017, 17, 752
13 of 17
other words, the proposed model is effective within 10 m.
Figure 8. Random number sharing affected by signal loss.
loss.
5.2.3. Interference Effect
Effect
Sensors
2017, 17, 752
of 16
Wireless
communication
show
Wireless
communication can
can be
be affected
affected by
by interference.
interference. An experiment was conducted to13
the interference effect. The
The number
numberof
ofdevices
devicesaccessing
accessingBLE
BLEsignal
signalininthe
thesame
samechannel
channelwas
wasset
setasasa
avariable.
variable.The
TheBLE
BLEsignal
signalinterval
intervalwas
waschosen
chosenas
as20
20ms,
ms,which
whichisisthe
theminimum
minimum BLE
BLE signal
signal interval
interval [9],
[9],
to show
show an
an obvious
obvious inference
inference effect
effect in
in this
this experiment
experiment (except
(exceptBLE
BLEdelay).
delay).
to
Figure 99 describes
describes the
the interference
interference effect
effect depending
depending on
Figure
on the
the number
number of
of devices
devices sending
sending signals.
signals.
This
experiment
was
designed
to
show
an
environment
of
the
proposed
scheme
in
This experiment was designed to show an environment of the proposed scheme in aa busy
busy channel.
channel.
The number
devices
sending
or receiving
a packet
every
20 ms.
The
number of
of devices
devicesmeans
meansthe
thenumber
numberofof
devices
sending
or receiving
a packet
every
20 The
ms.
factor
of
the
distance
causes
packet
loss.
Therefore,
the
accuracy
would
be
similar
in
any
distance
The factor of the distance causes packet loss. Therefore, the accuracy would be similar in any distance
when the
the minimum
minimum signal
signal interval
interval is
is set.
set. Conversely,
the interference
interference effect
effect may
may lead
lead to
to some
some delay
delay
when
Conversely, the
and then
then decrease
decrease accuracy.
accuracy. When
five devices
devices sending
sending signals
signals every
every 20
20 ms
ms were
were on
on different
different
and
When all
all five
channels
from
the
device
transferring
nonce,
the
result
was
similar
to
that
shown
in
Table
4.
channels from the device transferring nonce, the result was similar to that shown in Table 4.
Figure 9.
9. Random
number sharing
sharing affected
affected by
by interference
interference effect.
effect.
Figure
Random number
This experiment shows an extreme case because the BLE interval in this experiment was set to
This experiment shows an extreme case because the BLE interval in this experiment was set
the minimum. In an ordinary case, the beacon signal interval is set to be longer to reduce power
to the minimum. In an ordinary case, the beacon signal interval is set to be longer to reduce power
consumption. Further, when a channel is busy, the device can change the advertisement channel to
consumption. Further, when a channel is busy, the device can change the advertisement channel to
diminish the interference effect [9]. If all channels are busy, the quantization level can be greater for
diminish the interference effect [9]. If all channels are busy, the quantization level can be greater for
better performance.
better performance.
5.2.4. Implementation
Implementation of
of Random
Random Number
Number Mapping
Mapping
5.2.4.
Many studies
information
meant
to be
through
a secure
route
Many
studies have
haveobtained
obtainedsensitive
sensitive
information
meant
toprocessed
be processed
through
a secure
within
hardware
chips
[32–34].
To
improve
security,
hardware
implementation
has
often
been
route within hardware chips [32–34]. To improve security, hardware implementation has often been
considered [35]. To this effect, we implemented a field-programmable gate array (FPGA), namely,
the Spartan6 XC6LX from Xilinx, and analyzed it using ISE based on Figure 6. The date information
contained the current time expressed by a 64-bit integer, and the quantization level result was
expressed by 8-bit data.
Table 6 lists the time required to obtain a result after the input of each signal. As indicated in
Sensors 2017, 17, 752
14 of 17
considered [35]. To this effect, we implemented a field-programmable gate array (FPGA), namely,
the Spartan6 XC6LX from Xilinx, and analyzed it using ISE based on Figure 6. The date information
contained the current time expressed by a 64-bit integer, and the quantization level result was expressed
by 8-bit data.
Table 6 lists the time required to obtain a result after the input of each signal. As indicated in
Table 6, the devices could acquire high-speed processing if a digital circuit was produced to implement
the proposed model. In this experiment, the device required a processing time of within 16 ns.
Table 6. Process time of random number mapping.
Input
Processing Time (ns)
Date information
Previous nonce
Minimum quantization level
12.202–15.675
12.713–15.601
10.882–12.714
5.3. Overhead Analysis
In the proposed method, a busy waiting time occurs for receiving two signals. However, this
waiting time is not long when considering the communication time of Bluetooth signals.
The time intervals in the program used in our experiment were set to 62.5, 313, and 625 ms.
However, the estimated values had about 4~5 ms of errors on average because of advertisement
delay [9]. Thus, this error is reduced.
To consider the storage space required, this study used the circuit shown in Figure 6. In this circuit,
the nonce and Bluetooth device address size were set to 8 and 6 bytes, respectively. Therefore, the
required storage was 14 bytes per device. This means that if the device saved information about
1000 devices to be connected, it required 1.4 Kbytes. If the devices used 16 bytes of nonce, the devices
required 22 bytes per device.
6. Conclusions
This study proposed an improved SSP to transfer nonces through signal intervals between two
consecutive signals. A non-encrypted nonce was transferred because the devices had not already
created a key in SSP. Therefore, attackers could eavesdrop on, and collect information related to, key
creation. In this association model, even if attackers eavesdropped on the signals, because they could
not determine the quantization level, they were unable to determine what was being transferred.
Furthermore, we showed that the proposed model does not require exchanging passkeys as data and
that devices are secure when using a fixed PIN. The devices to be connected obtained the shared
passkey that was inputted initially by the user or that was fixed in order to calculate the quantization
level. Subsequently, the new quantization level was calculated automatically whenever the same
devices attempted to connect with each other.
In addition, we showed that applying the proposed scheme to other WSN is possible when the
protocol includes a nonce transmission process. In other words, the nonce can be delivered using
a time interval.
Although numeric comparison and passkey entry require user confirmation whenever devices
connect, we showed that the proposed model does not require additional user interference, except
in the initial device connection. In WPAN, the pairing devices are constant. Therefore, the proposed
association model can provide convenience and is effective for users.
In addition, we suggested a hardware implementation to prevent software hacking.
However, measuring the interval between two consecutive signals may be occasionally incorrect in
multitasking environments. Moreover, this method is inefficient in high packet loss rate environments.
Sensors 2017, 17, 752
15 of 17
Therefore, applying the proposed random number sharing to near-field communication of IoTs
would be effective. The target IoT devices to be connected should possess low specifications that
cannot or do not require multitasking or overload applications.
Acknowledgments: This work was supported by the ICT R&D program of MSIP/IITP (B0101-15-0266,
Development of High Performance Visual BigData Discovery Platform for Large-Scale Realtime Data Analysis), and
the MSIP (Ministry of Science, ICT and Future Planning) under the ITRC (Information Technology Research Center)
support program (IITP-2016-H8501-16-1013) supervised by the IITP (Institute for Information & communication
Technology Promotion), South Korea.
Author Contributions: J.M., I.Y.J., and J.Y. conceived and designed the experiments; J.M. performed the
experiments; J.M. and I.Y.J. analyzed the data; J.M. wrote the first draft paper; I.Y.J. and J.Y. re-organized and
corrected the paper.
Conflicts of Interest: The authors declare no conflict of interest.
Abbreviations
WSN
WPANs
MITM
SSP
IoT
OOB
DH
WPANs
RSSI
IRK
FPGA
Wireless Sensor Network
Wireless Personal Area Networks
Man-In-The-Middle
Simple Secure Pairing
Internet of Things
Out of Band
Diffie-Hellman
Wireless Personal Area Networks
Received Signal Strength Indication
Identity Resolving Key
Field-Programmable Gate Array
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Krco, S. Bluetooth Based Wireless Sensor Networks—Implementation Issues and Solutions. Invited paper.
In Proceedings of the 10th Telecommunications Forum Telfor 2002, Belgrade, Serbia, 26–28 November 2002.
Evans, D. The Internet of Things How the Next Evolution of the Internet Is Changing Everything; Cisco Internet
Business Solutions Group: San Jose, CA, USA, 2011.
Miller, S.K. Facing the challenge of wireless security. Computer 2001, 34, 16–18. [CrossRef]
Go, J.; Park, J.; Kim, K. Wireless Authentication Protocol Preserving User Anonymity. In Proceedings of the
Wireless Personal Multimedia Communications, Aalborg, Denmark, 9–12 September 2001; pp. 1153–1158.
Joos, R.R.; Tripathi, A.R. Mutual Authentication in Wireless Networks; Technical Report; Department of
Computer Science, University of Minnesota: Minneapolis, MN, USA, 1997.
Rahman, M.G.; Imai, H. Security in wireless communication. Wirel. Pers. Commun. 2002, 22, 213–228.
[CrossRef]
Suomalainen, J.; Valkonen, J.; Asokan, N. Security Associations in Personal Networks: A Comparative
Analysis. In Proceedings of the European Workshop on Security in Ad-Hoc and Sensor Networks, Cambridge,
UK, 2–3 July 2007; Volume 4572, pp. 43–57.
Sadeghzadeh, S.H.; Shirazani, S.J.M.; Mosleh, M. A new secure scheme purposed for recognition and
authentication protocol in Bluetooth environment. In Proceedings of the Advanced Communication
Technology (ICACT), Phoenix Park, Korea, 7–10 February 2010; pp. 1326–1331.
Bluetooth Special Interest Group. Bluetooth Core Specification Version 4.2; Bluetooth SIG: Kirkland, WA,
USA, 2014.
Forouzan, B.A. Cryptography and Network Security, International ed.; McGraw-Hill: New York, NY, USA,
2008; pp. 449–451.
Barnickel., J.; Wang, J.; Meyer, U. Implementing an Attack on Bluetooth 2.1+ Secure Simple pairing in
Passkey Entry Mode. In Proceedings of the Trust, Security and Privacy in Computing and Communications
(TrustCom), Liverpool, UK, 25–27 June 2012; pp. 17–24.
Sensors 2017, 17, 752
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
16 of 17
Haataja, K. Security Threats and Countermeasures in Bluetooth-Enabled Systems. Ph.D. Thesis, University of
Kuopio, Kuopio, Finland, 6 February 2009.
Hyppönen, K.; Haataja, K. Niño Man-In-The-Middle Attack on Bluetooth Secure Simple Pairing.
In Proceedings of the IEEE Third International Conference in Central Asia on Internet, the Next Generation
of Mobile, Wireless and Optical Communications Networks, Tashkent, Uzbekistan, 26–28 September 2007;
pp. 1–5.
Haataja, K.; Hyppönen, K. Man-In-The-Middle Attacks on Bluetooth: A Comparative Analysis, a Novel Attack,
and Countermeasures. In Proceedings of the IEEE Third International Symposium on Communications,
Control and Signal Processing, St. Julians, Malta, 12–14 March 2008; pp. 1096–1102.
Haataja, K.; Toivanen, P. Practical Man-In-The Middle Attacks against Bluetooth Secure Simple Pairing.
In Proceedings of the 4th IEEE International Conference on Wireless Communications, Networking and
Mobile Computing, Dalian, China, 12–14 October 2008; pp. 1–5.
Lathi, B.P. Modern Digital and Analog Communication Systems, 3rd ed.; Oxford University Press: Oxford, UK,
1998; pp. 264–267.
Kim, B.; Lim, J.; Park, C. Analysis of ZigBee Security Mechanism. J. Secur. Eng. 2012, 9, 417–428.
The Institute of Electrical and Electronics Engineers. Standard for Local and Metropolitan Area Networks—
Port-Based Network Access Control; IEEE Std 802.1X; IEEE: Piscataway, NJ, USA, 2001.
The Institute of Electrical and Electronics Engineers. Wireless LAN medium Access Control (MAC) and Physical
Layer (PHY) Specification: Enhancements for Higher Throughput; IEEE Std 802.11n; IEEE: Piscataway, NJ,
USA, 2006.
The Institute of Electrical and Electronics Engineers. LAN Medium Access Control (MAC) and Physical Layer
(PHY) Specifications Amendment 6: Medium Access Control (MAC) Security Enhancements; IEEE Std 802.11i;
IEEE: Piscataway, NJ, USA, 2004.
The Institute of Electrical and Electronics Engineers. IEEE Standard for Information Technology-Telecommunications
and Information Exchange between Systems-Local and Metropolitan Area Networks-Specific Requirements—Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications; IEEE: Piscataway, NJ,
USA, 2007.
Sastry, N.; Wagner, D. Security considerations for IEEE 802.15.4 networks. In Proceedings of the 2004 ACM
Workshop on Wireless security, Philadelphia, PA, USA, 1 October 2004; pp. 32–42.
Oh, S.; Choi, S.; Kwon, Y.; Park, C. Secure Key Distribution Protocol for ZigBee Wireless Sensor Network.
J. Korea Inst. Inf. Secur. Cryptol. 2012, 22, 745–759.
Tao, S.; Fuhua, H.; Jie, C.; Jianwei, L. A Security-enhanced Key Distribution Scheme for AODVjr Routing
Protocol in ZigBee Networks. Chin. J. Electron. 2013, 22, 577–582.
Diallo, A.S.; Al-Khateeb, W.F.M.; Olanrewaju, R.F.; Sado, F. A Secure Authentication Scheme for Bluetooth
Connection. In Proceedings of the Computer and Communication Engineering, Kuala Lumpur, Malaysia,
23–25 September 2014; pp. 60–63.
Biswas, S.; Afzal, S.R.; Koh, J.; Hasan, M.; Lee, G.; Kim, D. A Key Establishment Scheme for Providing Secure
Multicasting over Bluetooth Scatternets. In Proceedings of the Communications and Networking in China,
Shanghai, China, 22–24 August 2007; pp. 301–306.
Pasanen, S.; Haataja, K.; Paivinen, N.; Toivanen, P. New Efficient RF Fingerprint-Based Security Solution for
Bluetooth Secure Simple Pairing. In Proceedings of the System Sciences, Koloa, HI, USA, 5–8 January 2010;
pp. 1–8.
Rasmussen, K.B.; Capkun, S. Implications of radio fingerprinting on the security of sensor networks.
In Proceedings of the Security and Privacy in Communications Networks and the Workshops, Nice, France,
17–21 September 2007; pp. 331–340.
Teoh, A.; Ong, T.S. Secure biometric template protection via randomized dynamic quantization transformation.
In Proceedings of the Biometrics and Security Technologies, Islamabad, Pakistan, 23–24 April 2008; pp. 1–6.
Akyol, E.; Rose, K. On Constrained Randomized Quantization. IEEE Trans. Signal Process. 2013, 61, 3291–3302.
[CrossRef]
Eliasson, J.; Lundberg, M.; Lindgren, P. Time synchronous Bluetooth sensor networks. In Proceedings of
the IEEE Consumer Communications and Networking Conference, Las Vegas, NV, USA, 8–10 January 2006;
pp. 336–340.
Sensors 2017, 17, 752
32.
33.
34.
35.
17 of 17
Smith, S.W.; Weingart, S.H. Building a High Performance, Programmable Secure Coprocessor. Comput. Netw.
1999, 31, 831–860. [CrossRef]
Hely, D.; Flottes, M.-L.; Bancel, F.; Rouzeyre, B.; Berard, N.; Renovell, M. Scan design and secure chip.
In Proceedings of the On-Line Testing Symposium, Funchal, Portugal, 12–14 July 2004; pp. 219–224.
Zhang, L.; Wen, S.; Wang, R.; Zhang, G. A System Architecture Design Scheme of the Secure Chip Based on
SoC. In Proceedings of the Intelligent Systems and Applications, Wuhan, China, 23–24 May 2009; pp. 1–4.
Suh, G.E.; O’Donnell, C.W.; Devadas, S. Aegis: A Single-Chip Secure Processor. Des. Test Comput. 2007, 24,
570–580. [CrossRef]
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access
article distributed under the terms and conditions of the Creative Commons Attribution
(CC BY) license (http://creativecommons.org/licenses/by/4.0/).